The ability to encrypt backups at all levels will be available in a new release of DirectAdmin, and it can already be tested with a pre-release binary. It was implemented to be GDPR compliant.
Use the feature to store encrypted backups remotely. If you store them locally, they can be decrypted without much effort, because your system still stores the password used for encryption.
DirectAdmin developers flagged the feature as BETA at the time of writing this article, so please test it first to make sure it works for you. We've already tested it on our end, and it works fine for us.
You can check whether DirectAdmin on your server supports this feature with the following command:
/usr/local/directadmin/directadmin c | grep allow_backup_encryption=
It's expected to see either:
allow_backup_encryption=0
or
allow_backup_encryption=1
If the command does not return anything, or returns a result different from those listed above, then your DirectAdmin version is too old. If your DirectAdmin version is too old and does not include this feature, you should update DirectAdmin or install a pre-release binary.
Allow backup encryption
To allow backup encryption please run the following command:
grep -m1 -q ^allow_backup_encryption= /usr/local/directadmin/conf/directadmin.conf && perl -pi -e "s#allow_backup_encryption=.*#allow_backup_encryption=1#" /usr/local/directadmin/conf/directadmin.conf || echo allow_backup_encryption=1 >> /usr/local/directadmin/conf/directadmin.conf
Check it once more with the same command:
/usr/local/directadmin/directadmin c | grep allow_backup_encryption=
This time we should see:
allow_backup_encryption=1
Restart DirectAdmin:
service directadmin restart
Now log in as admin, reseller or user and enable backup encryption.
You should now have a Backup Encryption field; enter your secret password there to have backups encrypted with it. Leave it empty for no encryption.
Encrypted backups will have an .enc ending in their names:
admin.root.admin.tar.gz.enc
That's it.
Since it's still beta, some errors might happen.
If DirectAdmin crashes and/or a permissions issue occurs, try setting 755 permissions on the scripts:
chmod 755 /usr/local/directadmin/scripts/*crypt_file.sh
to get:
-rwxr-xr-x 1 diradmin diradmin 536 Apr 21 13:45 /usr/local/directadmin/scripts/decrypt_file.sh
-rwxr-xr-x 1 diradmin diradmin 536 Apr 21 11:53 /usr/local/directadmin/scripts/encrypt_file.sh
The password for backups created at Admin level is stored in /usr/local/directadmin/data/admin/backup.conf (base64 encoded, which is an encoding and not encryption). You can see it with:
grep ^encryption_password= /usr/local/directadmin/data/admin/backup.conf | cut -d= -f2- | base64 -d
To decrypt a backup file manually you can run the following commands:
grep ^encryption_password= /usr/local/directadmin/data/admin/backup.conf | cut -d= -f2- | base64 -d > /root/.enc_password
cd /home/admin/admin_backups/
/usr/local/directadmin/scripts/decrypt_file.sh admin.root.admin.tar.gz.enc admin.root.admin.tar.gz /root/.enc_password
Usage:
/usr/local/directadmin/scripts/decrypt_file.sh <encryptedin> <fileout> <passwordfile>
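The password extraction step above, written as an added shell example (not DirectAdmin's own code and not from the original article): it reads encryption_password= from a backup.conf, creates the password file with mode 600 before the secret is written, and fails cleanly when no password is stored. The function names extract_enc_password and is_private are hypothetical helpers, and it assumes the value is stored as a single base64 line as described above.

```shell
#!/bin/sh
# Added example, not part of DirectAdmin. Helper names are hypothetical.

# is_private <file>: succeeds only if group and others have no access bits.
is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# extract_enc_password <backup.conf> <password-file>
# Decodes the base64 value of encryption_password= into a 0600 file.
extract_enc_password() {
    conf=$1
    out=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # First matching line only; -f2- keeps any '=' padding inside the value.
    encoded=$(grep -m1 '^encryption_password=' "$conf" | cut -d= -f2-)
    [ -n "$encoded" ] || { echo "no encryption_password in $conf" >&2; return 2; }

    # Create (or truncate) the file with tight permissions before the
    # secret is written, so it is never readable by other users.
    ( umask 077 && : > "$out" ) || return 3
    chmod 600 "$out" || return 3

    # Decode; remove the file again if the value is not valid base64 or empty.
    printf '%s' "$encoded" | base64 -d > "$out" || { rm -f "$out"; return 4; }
    [ -s "$out" ] || { rm -f "$out"; return 4; }

    # The stored password is only encoded, so the config file is as
    # sensitive as the password itself: report if others can read it.
    is_private "$conf" || echo "warning: $conf is readable by group/others" >&2
    return 0
}

# Stand-alone use: script.sh <backup.conf> <password-file>
if [ "$#" -eq 2 ]; then
    extract_enc_password "$1" "$2"
fi
```

Run it as root with the backup.conf path and /root/.enc_password used in this article, and remove the password file once decryption is finished.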
To encrypt a backup manually you can run the following commands (make sure to have a plain-text password in /root/.enc_password):
cd /home/admin/admin_backups/
/usr/local/directadmin/scripts/encrypt_file.sh admin.root.admin.tar.gz admin.root.admin.tar.gz.enc /root/.enc_password
Usage:
/usr/local/directadmin/scripts/encrypt_file.sh <filein> <encryptedout> <passwordfile>